ECSA/LPT
EC-Council Module XII
Customers and Legal Agreements
Module Objective
This module will deal with various legal agreements of penetration testing.
It also defines the need for penetration testing, stages of penetration testing, and the customer requirements.
It also focuses on rules of behavior and risks associated with penetration testing.
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Module Flow
Why do Organizations Need Pen-Testing?
Initial Stages in Penetration Testing
Create a Checklist of Testing Requirements
Confidentiality and NDA Agreements
Penetration Testing by Third Parties
Penetration Testing ‘Rules of Behavior’
Penetration Testing Contract
Liability Issues
Drafting Contracts
Why do Organizations Need Pen-Testing?
Organizations need an outside party to try and “break in” (do a penetration test) to prove how good they are.
Internal bureaucratic need to prove to others in the company how insecure their systems are.
Legal requirements make it necessary to conduct a pen-test, such as HIPAA.
Initial Stages in Penetration Testing
Checklist of Pen-Test Services that will be Provided
Identify Customer Requirements
Draft Legal Agreement
Both Parties Agree and Sign
Understand Customer Requirements
Identify what needs to be tested:
• Servers
• Workstations
• Routers
• Firewalls
• Networking devices
• Cabling
• Databases
• Applications
• Physical security
Create a checklist of testing requirements
Identify the time frame and testing hours
Identify who will be involved in the reporting and document delivery
Create a Checklist of Testing Requirements
Do you have any security-related policies and standards?
If so, do you want us to review them?
Do you want us to perform a review of the physical security of your servers and network infrastructure?
How many Internet domains do you have?
How many Internet hosts do you have?
Do you want us to map your Internet presence? Otherwise, can you provide us with a detailed diagram of your Internet presence, including addresses, host OS types, and software in use on the hosts?
What addresses are in use on both sides of the hosts if they connect to both the Internet and the internal network?
Do you want us to review the security of your routers and hubs?
If so, how many routers and hubs exist on your network?
Create a Checklist of Testing Requirements (cont’d)
Do you want us to perform a security review of the workstations on the network?
What operating systems are the workstations running?
How many workstations need to be tested?
Our review will assess five or fewer servers of each type (NT, UNIX, and Novell); do you want us to review more than that?
If so, how many of each?
Do you want denial-of-service testing to be conducted? This testing can have adverse effects on the systems tested. We can arrange to do this test during non-production hours.
Do you want us to perform a modem scan of your analog phone lines?
What kind of RAS server are you using, and how many modems are used?
Do you want us to travel to other sites to perform assessments on systems?
Penetration Testing ‘Rules of Behavior’
Penetration ‘rules of behavior’ is a test agreement that outlines the framework for external and internal penetration testing.
Prior to testing, this agreement is signed by representatives from both the target organization and the penetration testing organization to ensure there is a common understanding of the limitations, constraints, liabilities, and indemnification considerations.
A Release and Authorization form may be required (in addition to the ‘rules of behavior’) that states that the penetration testing organization will be held harmless and not criminally liable for unintentional interruptions and loss or damage to equipment.
Penetration Testing Risks
Penetration testing can have serious risks if not performed correctly.
Normally, companies continue to conduct business when these tests are performed.
This could impact the company if the system goes down.
Machines and systems tested could be expensive.
Penetration Testing Risks (cont’d)
Configuration and ongoing costs are high for electronic assets like:
• Client databases.
• Proprietary code.
• Documentation.
• Intellectual property.
Penetration Testing by Third Parties
Reasons why organizations approach third parties for testing include:
• To find the vulnerabilities which were not found by the internal audits.
• To provide third-party assurances for the customers.
• Scarcity of skilled pen testers to perform critical tests.
• It is more cost effective than recruiting skilled penetration testers.
Precautions While Outsourcing Penetration Testing
Check if the service provider is misusing sensitive information obtained during penetration testing.
Ensure that the service provider does not leave any vulnerabilities.
Check that the service provider does not pass any information to the targets.
Ensure that the service provider is skilled enough to perform the test and reports the flaws to the management in a non-technical way.
Legal Consequences
Proper permission in writing must be obtained before the test starts:
• A request from a company employee to perform a penetration test is not a valid request.
• If that person does not have the authorization and things go wrong, then be prepared to pay “huge” legal fees for damages.
The authorization must come from a senior director of the company and not any employee.
Legal agreements must be signed before conducting any penetration testing.
Hire a lawyer and go through the contract.
Get Out of Jail Free Card
The “Get Out of Jail Free Card” entails a legal agreement signed by an authorized representative of the organization.
The agreement outlines the types of activities to be performed and indemnifies the tester against any loss or damage that may result from the testing.
Permitted Items in Legal Agreement
Confidentiality and NDA Agreements
You will also be signing an agreement that guarantees that the company’s information will be treated confidentially.
It will also provide cover for a number of other key areas, such as negligence and liability in the event of something untoward happening.
Many documents and other information regarding pen-tests contain critical information that could damage one or both parties if improperly disclosed.
Non-Disclosure and Secrecy Agreements (NDA)
Both parties bear responsibility to protect tools, techniques, vulnerabilities, and information from disclosure beyond the terms specified by a written agreement.
Non-disclosure agreements should be narrowly drawn to protect sensitive information.
Specific areas to consider include:
• Ownership.
• Use of the evaluation reports.
• Results; use of the testing methodology in customer documentation.
The Contract
The penetration testing contract must be drafted by a lawyer and signed by the penetration tester and the company.
The contract must clearly state the following:
• Objective of the penetration test.
• Sensitive information.
• Indemnification clause.
• Non-disclosure clause.
• Fees and project schedule.
• Confidential information.
• Reporting and responsibilities.
Sample Penetration Testing Contract
The client understands that Internet security is a continually growing and changing field and that testing by XSECURITY does not mean that the client’s site is secure from every form of attack. There is no such thing as 100% security testing, and for example it is never possible to test for vulnerabilities in software or systems that are not known at the time of testing or the mathematically complete set of all possible inputs/outputs for each software component in use.
Penetration Testing Contract (cont’d)
The provider shall be under no liability whatever to the buyer for any indirect loss and/or expense (including loss of profit) suffered by the buyer arising out of a breach by the provider of this contract. In the event of any breach of this contract by the provider, the remedies of the buyer shall be limited to a maximum of fees paid by the client.
Penetration Testing Contract (cont’d)
The provider and the client have imparted and may from time to time impart to each other certain confidential information relating to each other’s business including specific documentation. Each party agrees that it shall use such confidential information solely for the purposes of the service and that it shall not disclose directly or indirectly to any third party such information either expressed or otherwise.
Sample Rules of Engagement Document
Liability Issues
A company’s legal liability can arise as a result of:
• (a) Standards and penalties imposed by federal, state, or local governments.
• (b) Breach of contractual agreements.
• (c) Other non-contractual civil wrongs (torts) ranging from fraud, invasion of privacy, and conversion to deceptive trade practices and negligence.
• Federal and state statutes may impose both criminal penalties as well as form the basis for private lawsuits.
Negligence Claim
The negligence claim of liability is based on a charge that the company and its officers and directors acted “negligently”.
In law, “negligence” arises when a party owed a legal duty to another, that duty is breached, and the breach causes damages to the injured party:
• For example: A company is required to protect the customer database with reasonable measures.
“Ignorance of the law is no excuse, and failure to keep pace with statutory requirements is a first source of liability”
Plan for the Worst
If you sense that something will go wrong during a pen-test, then something WILL go wrong.
Nothing can completely prevent your pen-test team from liability.
Plan a crisis management and communications strategy.
Lost or compromised information can invite lawsuits and create liability despite a track record showing your pen-test team exercised a reasonable standard of care in trying to protect information.
Avoiding liability involves planning for problems.
Drafting Contracts
The pen-test contract is the most important tool used to define and regulate the legal relationship between the penetration tester and the customer.
It protects both parties from misunderstandings and includes various agreements, such as:
• Scope of test.
• Performance Standards.
• Security and Confidentiality.
• Audit Information.
• Reporting and Cost.
• Ownership and License.
• Dispute Resolution and Indemnification.
How Much to Charge?
Penetration testing pricing varies:
• Pricing will usually be based on the number of man-days required to fulfill the scope of the project.
• Number of client computers to be tested.
• Number of server computers to be tested.
• Different price for tests such as social engineering, competitive intelligence, stealing laptops, physical security.
Summary
Penetration testing helps to trace the vulnerabilities and weaknesses existing in our network. It also enables us to identify the strengths, weaknesses, threats, and defenses of the organization’s network against new exploits, which emerge daily.
Penetration ‘rules of behavior’ is a test agreement that outlines the framework for external and internal penetration testing.
The “Get Out of Jail Free Card” agreement outlines the types of activities to be performed and indemnifies the tester against any loss or damage that may result from the testing.
Nondisclosure agreements (NDAs) protect an organization’s confidential information during business dealings with customers, suppliers, employees and the press.
Contract drafting and negligence claims are aimed at performing the test in a mutually agreed environment, and they help ensure the pen-test’s success.
Plan a crisis management and communications strategy. Lost or compromised information can invite lawsuits and create liability despite a track record showing your pen-test team exercised a reasonable standard of care in trying to protect information.